VPN Troubleshooting Tools

Applies To: Windows Server 2008

You can use the following tools and commands to troubleshoot virtual private network (VPN) connections:

TCP/IP troubleshooting tools

The Ping, Tracert, and Pathping tools use ICMP Echo and Echo Reply messages to verify connectivity, display the path to a destination, and test path integrity. The route print command can be used to display the IP routing table. Alternatively, you can use the netsh routing ip show rtmroutes command or the Routing and Remote Access snap-in.

In addition to the TCP/IP tools, use the Netdiag tool to test and display your network configuration.

Unreachability reason

When a demand-dial interface fails to make a connection, the interface is left in an unreachable state and the Routing and Remote Access service records the reason the connection attempt failed. To view the unreachable reason in the Routing and Remote Access snap-in, click Network Interfaces. In the details pane, right-click the demand-dial interface, and then click Unreachability Reason.

Authentication and accounting Logging

You can log authentication and accounting information for remote access connections in local logging files using Network Policy Server (NPS). This logging is separate from the events recorded in the system event log and can be used to track remote access usage and authentication attempts. For more information, see "RADIUS accounting" in NPS Help.

Event Logging

On the Logging tab in the properties of a VPN router in the Routing and Remote Access snap-in, there are four levels of logging. Select Log all events, and then try the connection again. After the connection fails, check the system event log for events logged during the connection process. After you have viewed remote access events, select the Log errors and warnings option on the Logging tab to conserve system resources.

PPP logging

PPP logging records the series of programming functions and PPP control messages during a PPP connection and is a valuable source of information when you are troubleshooting the failure of a PPP connection. To enable PPP logging, select the Log additional Routing and Remote Access information option on the Logging tab on the properties of a remote access server.


The Routing and Remote Access service in Windows Server® 2008 has an extensive tracing capability that you can use to troubleshoot complex network problems. You can enable the components in Windows Server 2008 to log tracing information to files using the Netsh command or through the registry.

Enabling tracing with Netsh

You can use the Netsh command to enable and disable tracing for specified components or for all components. To enable and disable tracing for a specific component, use the following syntax:

netsh ras set tracingComponentenabled|disabled

where Component is a component in the list of Routing and Remote Access service components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the RASAUTH component, the command is:

netsh ras set tracing rasauth enabled

To enable tracing for all components, use the following command:

netsh ras set tracing * enabled

Enabling tracing through the registry

You can also configure the tracing function by changing settings in the registry under:


You can enable tracing for each Routing and Remote Access service component by setting the registry values described later. You can enable and disable tracing for components while the Routing and Remote Access service is running. Each component is capable of tracing and appears as a subkey under the preceding registry key.

To enable tracing for each component, you can configure the following registry entries for each protocol key:

EnableFileTracing REG_DWORD Flag

You can enable logging tracing information to a file by setting EnableFileTracing to 1. The default value is 0.

FileDirectory REG_EXPAND_SZ Path

You can change the default location of the tracing files by setting FileDirectory to the path you want. The file name for the log file is the name of the component for which tracing is enabled. By default, log files are placed in the SystemRoot\Tracing folder.

FileTracingMask REG_DWORD LevelOfTracingInformationLogged

FileTracingMask determines how much tracing information is logged to the file. The default value is 0xFFFF0000.

MaxFileSize REG_DWORD SizeOfLogFile

You can change the size of the log file by setting different values for MaxFileSize. The default value is 0x10000 (64K).


Tracing consumes system resources and should be used sparingly to help identify network problems. After the trace is captured or the problem is identified, you should immediately disable tracing. Do not leave tracing enabled on multiprocessor computers. Tracing information can be complex and very detailed. Most of the time this information is useful only to Microsoft support professionals or to network administrators who are very experienced with the Routing and Remote Access service. Tracing information can be saved as files and sent to Microsoft support for analysis.

Oakley logging

You can use the Oakley log to view details about the Internet Protocol security (IPsec) security association (SA) negotiation process. The Oakley log is enabled in the registry. It is not enabled by default. To enable the Oakley log, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created.

After it is enabled, the Oakley log, which is stored in the SystemRoot\Debug folder, records all IPsec SA negotiations. A new Oakley.log file is created each time the IPsec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.

To activate the new EnableLogging registry setting after modifying its value, stop and start the IPsec Policy Agent and related IPsec services by running the following sequence of commands:

  1. Stop the Routing and Remote Access service using the net stop remoteaccess command.

  2. Stop the IPsec services using the net stop policyagent command.

  3. Start the IPsec services using the net start policyagent command.

  4. Start the Routing and Remote Access service using the net start remoteaccess command.

Network Monitor

Use Network Monitor, a packet capture and analysis tool supplied with Windows Server 2008, to capture and view the traffic sent between VPN routers during the VPN connection process and during data transfer. You cannot interpret the encrypted portions of VPN traffic with Network Monitor. Download and install Network Monitor from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=92844).

Interpretation of the VPN traffic with Network Monitor requires an in-depth understanding of PPP, PPTP, IPsec, and other protocols. Network Monitor captures can be saved as files and sent to Microsoft support for analysis.